Bitweaver and Browser Cookies

All about browser cookies in bitweaver

Created by: Stephan Borg, Last modification: 01 Sep 2006 (15:52 UTC)
Note: This is not about the tag-line cookies found in the kernel (we really need to rename those...)


Introduction - Where are Cookies Used in Bitweaver?

This page is an explanation of the use of browser cookies in Bitweaver. Hopefully, it will help developers to understand the different types of cookies used in bitweaver and help with consistency and standardisation of their use.

Types

There are a number of types of cookies used in bitweaver.

  1. The session cookie, which is used to track the user session within Bitweaver. The session cookie name has changed across versions: PHPSESSID in Bonnie (which is actually generated by PEAR:Auth), TIKISESSION in ReleaseOne, and now BWSESSION in ReleaseTwo.
  2. The user authentication cookie, which is used to track authenticated users and can be used to share information across Bitweaver sites using the Remember Me functionality. These cookies should use the Remember Me cookie settings (cookie_path and cookie_domain) only if the Remember Me feature is enabled. The cookie name has changed across versions: tiki-user-bitweaver in Bonnie and ReleaseOne, and now bit-user-bitweaver in ReleaseTwo.
  3. The tz_offset cookie is used to calculate client time zone information. Bitweaver initially checks if there is a preferred time zone set in the user preferences, and will use this if so. Otherwise, the server's time zone is used and stored in the tz_offset cookie. This value is calculated using JavaScript in kernel/tiki.js in Bonnie and ReleaseOne, and util/javascript/bitweaver.js in ReleaseTwo. The setting should be site specific and should not reference the Remember Me cookie_path and cookie_domain settings.
  4. Menu and Module Open/Closed Status - These cookies are used to keep track of open or closed menus and modules between sessions ($package+admenu, layoutadmenu, $custom+menu, $module_title). These are stored using JavaScript in kernel/tiki.js in Bonnie and ReleaseOne, and util/javascript/bitweaver.js in ReleaseTwo. The setting should be site specific and should not reference the Remember Me cookie_path and cookie_domain settings.
  5. Switch Theme Module (tiki-theme) - Previously used to temporarily change the theme using a drop-down module, the current theme was stored in this cookie. This code should be deprecated and changed to use the User Preferences Theme setting, rather than using this method.
  6. JavaScript Tabs (webfxtab_) - JavaScript tab selections are stored in this cookie and are currently not configured explicitly by Bitweaver in any way.

Issues

Currently there are a few issues outlined below.

  • Number of cookies per site
    • Previously, the number of cookies produced per site reached a limit. Every open and closed state of menus was stored in its own cookie value, which quickly increased the number of cookies. The solution is likely to use arrays to serialise menu status and minimise the number of cookies for this purpose.

  • Remember Me problems
    • The Remember Me option (Administration / Users / Login Settings) has been designed to allow a single Bitweaver site to authenticate a user and then use this authenticated session for other Bitweaver sites. Currently, if the user explicitly enters an incorrect cookie_domain (without the wildcard prefix '.'), it causes problems.
    • Previously, cookie_path and cookie_domain settings were stored in preferences, even if they were the defaults. After an upgrade, possibly to another site, these settings would prevent authentication with or without the Remember Me option enabled. This has been fixed in the R2 upgrade process.

  • Cookie Path problems
    • Because Bitweaver's packages sit at multiple directory levels, the generation of cookies and their cookie path references needs to be controlled. Without this control, cookies are generated with paths from all over the installation, causing large numbers of cookies and incorrect cookie references. Even with Remember Me functionality disabled, the default cookie_path should be BIT_ROOT_URL and the default cookie_domain an empty string, to prevent this problem.

What are Cookie Defaults?

  • Cookie Path = URL path where Bitweaver is installed. Default is BIT_ROOT_URL.
  • Cookie Domain = URL Server Name - When a server name is supplied in the cookie parameters, it is prefixed with a '.' wildcard. To explicitly use the server name, you need to provide an empty string ("") in the cookie parameters. Default is an empty string, which uses the explicit server name.
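
The following is an added example, not code from Bitweaver: a sketch of the serialised menu-status cookie suggested under "Number of cookies per site", written with the cookie defaults described above (path set to the install path, no domain attribute). The cookie name bw_menustate, the helper names and the /bitweaver/ path are assumptions made for illustration.

```javascript
// Added example; names below are hypothetical, not Bitweaver's own.
const BIT_ROOT_URL = "/bitweaver/";   // assumed install path (constructed)
const MENU_COOKIE = "bw_menustate";   // hypothetical cookie name

// Pack { id: bool } into "id:1|id:0". encodeURIComponent escapes ":" and "|"
// inside ids, so the separators stay unambiguous.
function packMenuState(state) {
  return Object.keys(state).sort()
    .map((id) => encodeURIComponent(id) + ":" + (state[id] ? "1" : "0"))
    .join("|");
}

// Reverse of packMenuState; malformed entries are skipped, not trusted.
function unpackMenuState(value) {
  const state = {};
  for (const part of (value || "").split("|")) {
    const i = part.lastIndexOf(":");
    const flag = part.slice(i + 1);
    if (i < 1 || (flag !== "0" && flag !== "1")) continue;
    try {
      state[decodeURIComponent(part.slice(0, i))] = flag === "1";
    } catch (e) { /* bad percent-encoding: ignore this entry */ }
  }
  return state;
}

// One cookie for all menus, scoped to the install path. No "domain="
// attribute is emitted, so the cookie stays bound to the exact host.
function buildMenuCookie(state, rootUrl, days) {
  let cookie = MENU_COOKIE + "=" + packMenuState(state) + "; path=" + rootUrl;
  if (days) cookie += "; max-age=" + days * 86400;
  return cookie;
}

// Extract the menu state from a "name=value; name=value" cookie string.
function readMenuCookie(cookieString) {
  for (const pair of cookieString.split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name === MENU_COOKIE) return unpackMenuState(rest.join("="));
  }
  return {};
}

// In a browser, persist the state; elsewhere (e.g. Node) this is skipped.
if (typeof document !== "undefined") {
  const current = readMenuCookie(document.cookie);
  current["layoutadmenu"] = true; // constructed sample toggle
  document.cookie = buildMenuCookie(current, BIT_ROOT_URL, 30);
}
```

Because the value is read back from the client, unpackMenuState accepts only the flags 0 and 1 and drops anything it cannot decode.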